Bug 1733956 (CVE-2017-12652) - CVE-2017-12652 libpng: does not check length of chunks against user limit
Summary: CVE-2017-12652 libpng: does not check length of chunks against user limit
Alias: CVE-2017-12652
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1744870 1744871
Blocks: 1733957
TreeView+ depends on / blocked
Reported: 2019-07-29 10:29 UTC by Dhananjay Arunesh
Modified: 2023-12-15 16:39 UTC (History)
3 users (show)

Fixed In Version: libpng 1.6.32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-09-29 21:58:20 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3901 0 None None None 2020-09-29 19:43:47 UTC

Description Dhananjay Arunesh 2019-07-29 10:29:44 UTC
A vulnerability was found in libpng before 1.6.32 does not properly check the length of chunks against the user limit.


Comment 1 Huzaifa S. Sidhpurwala 2019-07-30 05:48:12 UTC
Upstream commit: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55

Comment 2 Huzaifa S. Sidhpurwala 2019-08-23 04:41:19 UTC

As per http://www.libpng.org/pub/png/libpng-manual.txt :

"The PNG specification allows the width and height of an image to be as large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns. For safety, libpng imposes a default limit of 1 million rows and columns. Larger images will be rejected immediately with a png_error() call. If you wish to change these limits, you can use

   png_set_user_limits(png_ptr, width_max, height_max);

to set your own limits (libpng may reject some very wide images anyway because of potential buffer overflow conditions)."

A flaw was found in libpng where this limit was not checked by the library. This could potentially result in bigger images to be parsed by the library, (bigger sizes than imposed by the user_limit set earlier), which could result in DoS via memory exhaustion.

This seems difficult to exploit, mainly because the attacker needs to be allowed to parse large images via an application compiled against libpng on the affected system.

Comment 6 errata-xmlrpc 2020-09-29 19:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3901 https://access.redhat.com/errata/RHSA-2020:3901

Comment 7 Product Security DevOps Team 2020-09-29 21:58:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.